Bank of Ireland fined €463,000 for data breaches

Bank of Ireland has been fined €463,000 by the Data Protection Commission for data breaches affecting more than 50,000 customers.

It follows an inquiry into 22 personal data breach notifications that Bank of Ireland made to the Commission between 9 November 2018 and 27 June 2019.

One of the data breach notifications affected 47,000 customers.

The breaches related to the corruption of information in the bank's data feed to the Central Credit Register, a centralised system that collects and securely stores information about loans.

The incidents included unauthorised disclosures of customer personal data to the CCR and accidental alterations of customer personal data on the CCR.

The Commission found that 19 of the incidents reported met the definition of a "personal data breach" under the General Data Protection Regulation (GDPR).

It also found that in a number of cases, Bank of Ireland failed to report the personal data breaches without undue delay and also failed to notify the impacted customers without delay.

As well as the €463,000 in fines, the Data Protection Commission has issued Bank of Ireland with a reprimand and has ordered the bank to bring its processing into compliance with data protection regulations.

In a statement Bank of Ireland said it fully acknowledges and sincerely apologises for the breaches.

"The bank takes its regulatory and compliance obligations very seriously and regrets that it has fallen short in this way," the bank said.

Bank of Ireland says it has notified all impacted customers and has rectified the inaccurate information reported to the Central Credit Register in all but 20 cases which will be corrected shortly.

It said it has also taken measures to improve its ongoing CCR reporting, including error management procedures and a process that enables faster correction of errors.

"The Data Protection Commission has mandated further measures and work has already begun to put these in place," the bank said.

"The bank has engaged fully and proactively with the Commission during its inquiry and will continue to do so as it implements these additional measures as quickly as possible."